Unlike the security methods of old that rely on isolation, a properly designed physical security platform unleashes the value of the Internet of Things by aggregating information from people, processes, data and things. This unleashing brings a cascade of data from IP-enabled devices, machines and business systems connected via unmodified Ethernet.
In the years ahead, sensor-embedded, Internet-ready equipment and machines will become even more commonplace. This shift towards a connected infrastructure gives IT (Information Technology) and OT (Operational Technology) managers deeper visibility into workflows and offers unprecedented economic opportunities.
But tapping the full potential of smart, connected devices hinges on having physical security and access-control technologies and processes capable of protecting the new streams of industrial data. With the right technologies and processes in place, manufacturers can safeguard people, assets and operations, while deploying an end-to-end IP infrastructure that promises to advance productivity, operating equipment effectiveness (OEE) and innovation.
Implementing Physical Security Best Practices
A common view in industry is that the main source of threats to IP networks is the Internet itself. It’s true; credible threats lurk on the Web. However, IP networks are vulnerable from the Internet right to the edge of the network. In fact, recent instances of physical (non-virtual) attacks illustrate the significant need for physical security in industrial operations. Fortunately, it is straightforward to protect against these threats with defense-in-depth and a layered security model that encompasses robust logical and physical security technology and services.
Step 1. Secure unused ports.
Physical security practices begin with securing unused ports with inexpensive devices called LIBO (Lock In Block Out). They lock in critical connections or block out an unused port to keep it secure. Block-out devices in the LIBO category, for example, can be inserted into USB ports to prevent the unwanted removal of data and to block the potential uploading of viruses. Lock-in devices, on the other hand, prevent the unauthorized removal of cables, networking equipment or other vital connections. Both help combat data-security breaches and potential hardware theft, while helping maintain network uptime.
Step 2. Establish a physical as well as a logical DMZ between networks.
The simple act of patching the industrial network into the enterprise network with the intention of “getting things up and running temporarily” can cause inadvertent problems. Establishing a physical and logical DMZ (demilitarized zone) between the two networks is vital. The networks still converge and provide the information transparency we seek, but through strong segmentation using firewalls, in a secure and orderly fashion.
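As an added example (not from the article), here is a small Python audit that checks a zone-based firewall policy against the DMZ pattern just described: enterprise and industrial zones may only exchange traffic through the DMZ, allowed flows into protected zones must name a port, and the policy must end in a deny-all. The zone names, ports, sample rulesets and the checks themselves are assumptions constructed for this example.

```python
"""Audit a zone-based firewall policy for the enterprise/DMZ/industrial pattern."""
from dataclasses import dataclass

ENTERPRISE, DMZ, INDUSTRIAL, INTERNET, ANY = "enterprise", "dmz", "industrial", "internet", "any"

@dataclass(frozen=True)
class Rule:
    src: str       # source zone
    dst: str       # destination zone
    port: int      # TCP destination port; 0 means "any port"
    action: str    # "allow" or "deny"

def audit_dmz_policy(rules):
    """Return a list of findings; an empty list means the ruleset respects the DMZ pattern.
    Checks (assumed design rules for this example, not taken from the article):
      1. No allowed flow may touch the industrial zone unless the other end is the DMZ,
         so enterprise<->industrial and industrial<->Internet traffic is always brokered.
      2. Allowed flows into the industrial zone or the DMZ must name a port (no "any").
      3. The policy must end with an explicit any/any deny so unlisted flows are dropped.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.src == r.dst:
            continue
        if INDUSTRIAL in (r.src, r.dst) and DMZ not in (r.src, r.dst):
            other = r.dst if r.src == INDUSTRIAL else r.src
            findings.append(f"industrial<->{other} flow (port {r.port or 'any'}) bypasses the DMZ")
        if r.dst in (INDUSTRIAL, DMZ) and r.port == 0:
            findings.append(f"{r.src}->{r.dst} allows any port; restrict to the brokered service")
    last = rules[-1] if rules else None
    if last is None or (last.src, last.dst, last.action) != (ANY, ANY, "deny"):
        findings.append("policy lacks a terminal any/any deny rule")
    return findings

# Constructed sample policies (not real plant configurations).
TEMPORARY_PATCH = [                       # the "get it running temporarily" ruleset
    Rule(ENTERPRISE, INDUSTRIAL, 0, "allow"),     # direct cross-connect, any port
    Rule(INDUSTRIAL, INTERNET, 443, "allow"),     # controllers reaching a vendor cloud directly
]
SEGMENTED = [                             # the same needs, brokered through the DMZ
    Rule(ENTERPRISE, DMZ, 443, "allow"),          # dashboards read the DMZ historian
    Rule(INDUSTRIAL, DMZ, 1883, "allow"),         # OT pushes telemetry to a DMZ broker
    Rule(DMZ, INTERNET, 443, "allow"),            # only the DMZ talks to the vendor cloud
    Rule(ANY, ANY, 0, "deny"),
]
```

Running `audit_dmz_policy(TEMPORARY_PATCH)` reports the direct cross-connect, the any-port rule, the industrial-to-Internet flow and the missing deny-all, while `SEGMENTED` returns no findings.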
Step 3. Consider location tracking.
Capabilities, such as physical security and location tracking, are often important components of an overall security program. Many of these capabilities can be implemented using intelligent networking technologies, such as integrated physical and virtual security and wireless location-based services.
Step 4. Secure the location where data is physically held.
The customer data of retail giant Walmart was potentially put at risk when hard drives were stolen from Vudu, the company’s video service supplier. Vudu announced that thieves had broken into its offices and stolen hard drives containing personal information of users, such as their names, email addresses, account history and the last four digits of their credit card numbers. This was a physical security issue, not a cyber security issue. The good news: Vudu promptly reset the passwords of Walmart’s customers. But the breach showcases the need for securing the physical location where data is housed.
Step 5. Host employee training on security risks.
The Stuxnet virus that reportedly sent several centrifuges spinning out of control at an Iranian nuclear facility in June 2010 is a perfect example of why employee training is necessary. The virus was believed to have been transmitted into the plant’s system using a thumb drive that was inserted into a computer within the facility. That suggests a lack of physical security to monitor personnel access or to protect machine ports.
Close All Trap Doors – Physical and Logical Security Converge
Before convergence onto the IP network, security measures were largely separated:
- Video surveillance ran across dedicated analog connections.
- Physical access to buildings was managed entirely across an isolated network instead of the LAN, as it is today.
- Intrusion prevention happened at the firewall.
- Virus scanning and intrusion detection were done on the desktops.
- E-mail (spam) and Web security (acceptable use policies) were limited to users within the organization boundaries only. The risk was that an employee could bring in an infection from outside.
Physical and logical security technologies have matured to the point that they can be integrated. The convergence of the IP network and the migration of legacy sensors and appliances to TCP/IP have helped drive this transformation. Cameras are now IP-based; card readers use the IP network; and access lists, policies and procedures are stored and generated by computers.
Physical Security Considerations Bring IT and OT Benefits
From a physical security standpoint, the introduction of IP network infrastructures is having a significant impact. Plant security is transitioning from analog proprietary systems to IP-based systems deployed through the use of unmodified Ethernet, helping merge data from multiple platforms into a single system that reaches across the enterprise.
This is all part of a larger movement that’s happening between IT and OT. IT is stepping up as owners of security systems, but OT is also interested in leveraging the systems for achieving greater visibility into plant operations.
Implementing physical security technology provides both IT and OT benefits, including:
Unlike security measures of the past, today’s physical security and access control technologies and processes can bring untold benefits to IT and OT managers who work together to protect people, assets and operations. Together, they can deploy an end-to-end IP infrastructure that holds the promise to advance productivity, OEE and your next wave of innovation.
Greg Varga is a physical security business unit technical leader at Cisco, and Bob Voss is a senior principal research engineer at Panduit. They both write on behalf of Industrial IP Advantage.